Level setting: All the firewall tests below communicate with your public IP address. Usually, this is your router. There are, however, three instances where the tests are not communicating with your router. If you are connected to a VPN, the public sees the VPN server, not your router. Likewise, with Tor you end up testing the Tor exit node rather than your router. The third case involves the box your router is directly connected to. If it is just a modem, all is well. However, if it is a gateway device (combination modem, router and perhaps even a telephone adapter) from your ISP, then the device visible to the outside world may be the gateway rather than your router. For your router to be your public face on the Internet, the gateway needs to be put in Bridge mode. This dumbs it down to function only as a modem.

Port Status: An "open" port responds to unsolicited incoming requests. A "closed" port (a.k.a. "refused" in Nmap lingo) is accessible, but there is no application listening on it. A status of "stealth" (a.k.a. "filtered" to Nmap) means data sent to the port generates no response at all. This is the most secure status.

See what Shodan knows about your router on my Shodan page. A Not Found result is a good thing. Any open ports are bad.

Steve Gibson's Shields UP! is an oldie but goodie.
Stealth is the best status. Closed is OK. Open is bad news. Start with the "Common Ports" test, which tests ports 0, 21, 22, 23, 25, 79, 80, 110, 113, 119, 135, 139, 143, 389, 443, 445, 1002, 1024, 1025, 1026, 1027, 1028, 1029, 1030, 1720 and 5000. Then move on to the "All Service Ports" test, which tests all the ports from zero to 1055 and takes about 70 seconds to run. If all is well, it will say "Passed" in green and the status of every port will be "stealth". The passing grade also means that the router does not reply to Ping commands on the WAN port. A perfect report looks like this.

The Speed Guide Security Scan tests 85 ports but does not say which ports it tests. If you register and create an account, then it scans 359 ports. Click the small blue "START" button to run the scan. Only a summary report is provided, something like "All 85 scanned ports on youripaddress are filtered (54) or open|filtered (31)". All told, barely useful.

Network Port Checker and Scanner Tool at ipfingerprints.com lets you test an arbitrary range of ports, both for TCP and UDP. And, you can test any online device, not just the router you are connected to. It also has some advanced features. It is based on nmap and uses nmap terminology rather than simple English. They offer a translator from nmap to English.

The website pentest-tools.com offers two port scanners based on nmap. One is for UDP, the other is for TCP. It scans the 100 common ports, but does not say what they are. It never worked for me because it always tries to ping the target and my router blocks pings. You have to enter the IP address to be scanned and the site does not report your current IP address. It is a free demo for a paid service that costs $45/month. Hard to justify the price when the demo is bad.

The Port Scanners page at WhatsMyIP.org can scan a single port or four different groups of common ports. They don't say if the scans are TCP, UDP or both. A port that does not respond is said to time out. This does not differentiate between closed and stealthed ports, making it relatively useless.

Shields UP! can also test a single port, a feature called portprobe. There is no GUI interface, though; you have to make your own URL. This example, grc.com/x/portprobe=999, tests port 999, and changing it to test another port is self-explanatory. Many examples in the next section do just this. Gibson does not address TCP vs. UDP, so I have to assume the test is TCP only.

Note that while connected to a VPN, these tests test the VPN server, not your router. Same for Tor. This list is extremely incomplete.

According to the Netlab team at Qihoo 360, the BCMUPnP_Hunter botnet, which first appeared in September 2018, constantly scans for routers with an exposed UPnP interface on port 5431. As of November 7, 2018, the botnet consists of 100,000 routers and it abuses a 5-year-old bug. Test TCP port 5431.

The hacking of MikroTik routers is all over the Router News page. Many of the attacks target Winbox, a Windows application that administers the router. Winbox talks to the router over port 8291. Anyone with a MikroTik router should ensure that port 8291 is not open to the Internet. Test TCP port 8291. In Sept. 2018 one attack on MikroTik routers turned them into SOCKS 4 proxies using the non-standard TCP port 4153. Test TCP port 4153.

In July 2018 a design flaw with FTP in Netgear routers led to the leaking of military documents. No hacking was needed; the owners of many Netgear routers do not change default passwords. The Netgear KB articles on FTP configuration are shameful in ignoring security issues. Coverage of the hacking is on the Router News page under July 2018. Test TCP port 21.

The WICKED botnet also tries to connect to port 8443, and if successful, tries to exploit a flaw in Netgear R7000 and R6400 routers from March 2017. Test TCP port 8443.

March 2018: Devices running the Cisco Smart Install client have TCP port 4786 open by default. It should not be exposed to the Internet, yet over 8 million devices have this port open (see the March 2018 section of the Router Bugs page for more). There was a critical flaw in the Smart Install software. Test TCP port 4786.

March 2017: If you own a video camera, then you may want to read about flaws in thousands of models. In terms of routers, one of the flaws lets anyone watch the camera. Anyone who connects to TCP port 10554, that is. Test port 10554. (More)

According to SANS, some IoT devices use port 2323 as an alternate port for Telnet. The Mirai botnet scans for IoT devices on both ports 23 and 2323. Test TCP port 2323.

UPnP and SSDP use port 1900 and do not belong on the Internet. They were intended for LAN use only. This is only supposed to use UDP, but it's so important that testing TCP too can't hurt. Test TCP port 1900.

Port 7547 is used by a remote management protocol known as either TR-069 or CWMP (Customer Premises Equipment WAN Management Protocol). Some ISPs use this protocol to re-configure your router/gateway/modem. In November 2016, the protocol was abused to attack DSL modems. A device infected in this attack will have its port 7547 closed by the malware to prevent new firmware from being installed. In April 2017 Wordfence reported that Thousands of Hacked Home Routers are Attacking WordPress Sites and they attributed the router hacking to port 7547 being open. They said that Shodan reports over 41 million devices are listening on port 7547. So, test port 7547.

Some D-Link routers expose port 8181 for an unknown service that had a buffer overflow flaw that let remote unauthenticated attackers run commands on the router. D-Link said they fixed this with firmware released in August 2016. Still, it can't hurt to test TCP port 8181.

A bug in some Linksys routers left port 8083 open even if their web interface said that remote management was disabled. You can test for a vulnerable router by browsing to http://1.2.3.4:8083/ where 1.2.3.4 is your public IP address. Vulnerable routers will put you into their admin console, without even asking for a password.

Port 32764 was made infamous in Jan. 2014 when Eloi Vanderbecken found that his Linksys WAG 200G used it as a backdoor. Other Linksys, Netgear and Cisco routers did the same. See my blog on this: How and why to check port 32764 on your router. But then it got worse: in April 2014, the "fix" merely hid the backdoor better. If your router has version 2 of the backdoor, you can't test for it. But we can test for version 1 externally with portprobe and internally by pointing a web browser to http://1.2.3.4:32764 where 1.2.3.4 is the LAN side IP address of the router.

SNMP normally uses UDP, but it has been seen in the wild using TCP. So, what the heck, test port 161 and port 162.

LDAP port 389 uses both TCP and UDP. See the UDP section below for links to test each.

NAT-PMP, like UPnP, lets a LAN-resident device poke a hole in the router firewall. It was designed by Apple, which uses it for Back to My Mac. It listens on UDP port 5351. In 2014 it was discovered that over a million devices connected to the Internet had this port open on the WAN side. Oops. Some companies making devices with this flaw were Belkin, Netgear, Technicolor, Ubiquiti and ZyXEL. The Shadowserver Foundation scans for this daily. On Nov. 11, 2016 they found 1.2 million devices exposing NAT-PMP. More here and here. Test port 5351.

The Asus infosvr service listens on UDP port 9999. It has a buggy history (see here and here and here and here). It is supposed to be a LAN side only issue (see the section below on LAN side port testing); still, it can't hurt to test it on the WAN side too if you have an Asus router. Test port 9999.

If you are not using SNMP, and most people are not, then UDP ports 161 and 162 should be closed. A device running SNMP can be abused in SNMP amplification attacks, a type of DDoS attack. The Shadowserver Foundation scans the Internet for devices that respond to SNMP commands on UDP port 161. In mid-November 2016, they found 3,490,417 such devices. Test port 161 and test port 162.

Port 1233. The Toshiba Service Station application receives commands via this port and was found to be a security issue in December 2015. More here. Test port 1233.

If you are not using an L2TP VPN, then port 1701 should not be open. Not sure if this uses UDP; better safe than sorry. Test port 1701.

Port 631 is used for the Internet Printing Protocol with both TCP and UDP. More about this is in the above section on TCP ports.

UDP Port testers

The links above that test individual UDP ports look like this: http://www.speedguide.net/portscan.php?udp=1&port=999
This example would test port 999. SpeedGuide can also test individual ports at their Security Scan page, where you can enter any port number and choose to test UDP and/or TCP.

Another website offering UDP port tests is the UDP Port Scan with Nmap page at Pentest-Tools.com. It can test a range of UDP ports, a list of UDP ports or individual ports.

TELNET: Individual LAN side ports can be tested from a computer on the LAN with Telnet. Windows 7 and 8.1 users will have to first install the Telnet client using: Control Panel -> Programs and Features -> click on "Turn Windows features on or off" in the left side column -> Turn on the checkbox for Telnet Client -> Click OK. On OS X ....

To use telnet on Windows, open a Command Prompt window and type "telnet ipaddress portnumber". For example: "telnet 192.168.1.1 80". There needs to be a space on both sides of the IP address. If the port is closed, Windows will complain that it "could not open connection to the host on port 80: connect failed". If the port is open, the responses vary; you may just see a blank screen. You can also telnet to a computer by name, such as "telnet somewhere.com 8080".

ID Serve: ID Serve is a small, portable, Internet Server Identification Utility for Windows, created by Steve Gibson. It was written in 2003 and has not been updated since. The initial screen explains its purpose; the Server Query tab is where it does its work. You can query a computer by name (www.amazon.com) or by IP address. It defaults to port 80, but you can force a different port by adding a colon and the port number after the computer name or IP address (no spaces). If data comes back from the query, ID Serve displays it all. This data may identify the server software. If data does not come back, the message, in my experience, will either be "The port is closed, so our connection attempt was refused" or "No response was received from the machine and port at that IP. The machine may be offline or the connection port may be stealthed". ID Serve is limited to TCP (no UDP) and does not support HTTPS.

BROWSER: You can also test a port with a web browser. For example, http://192.168.1.1:999 would test TCP port 999 (of course, modify the IP address as necessary for your router). I don't think a browser can test a UDP port; it is limited to TCP.
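The telnet, ID Serve and browser checks above all boil down to one TCP connect attempt per port, with the outcome read as open, closed (refused) or stealth (no answer) as defined at the top of this page. The script below does the same thing from a LAN computer and reports every port in the Shields UP! "Common Ports" list; it is an added example, not code from the page or from GRC, and the router address 192.168.1.1 is an assumption to adjust.

```python
"""Probe TCP ports on a router from the LAN and label each one "open",
"closed" or "stealth", the vocabulary this page uses.  Added example, not
part of the original page.  Target address and port list are assumptions;
the list mirrors the Shields UP! "Common Ports" set quoted earlier."""
import socket

# Shields UP! "Common Ports" as quoted on this page (port 0 omitted because
# most operating systems will not connect() to it at all).
COMMON_PORTS = [21, 22, 23, 25, 79, 80, 110, 113, 119, 135, 139, 143,
                389, 443, 445, 1002, 1024, 1025, 1026, 1027, 1028, 1029,
                1030, 1720, 5000]


def probe_tcp(host, port, timeout=2.0):
    """One TCP connect attempt, classified the way the page describes:

    open    - handshake completed, so something is listening
    closed  - host answered with RST (connection refused): reachable, no listener
    stealth - neither SYN-ACK nor RST within the timeout (Nmap's "filtered")
    Any other socket error (no route, network down) is reported as "error: ...".
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "stealth"
    except ConnectionRefusedError:
        return "closed"
    except OSError as e:
        return "error: %s" % (e.strerror or e)
    finally:
        s.close()


def scan(host, ports=COMMON_PORTS, timeout=2.0):
    """Return {port: status} for every port in the list."""
    return {p: probe_tcp(host, p, timeout) for p in ports}


def worst_status(results):
    """Summarise a scan the way Shields UP! grades it: any "open" port is
    bad news, "closed" is OK, all "stealth" is a pass."""
    rank = {"stealth": 0, "closed": 1, "open": 2}
    return max(results.values(), key=lambda st: rank.get(st, -1))


def local_listener():
    """Bind a throwaway listener on loopback so the classifier can be
    exercised without touching a real router; returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    ROUTER = "192.168.1.1"   # assumption: change to your router's LAN address
    results = scan(ROUTER)
    for port in sorted(results):
        print("%5d  %s" % (port, results[port]))
    print("overall:", worst_status(results))
```

Run against the LAN side of the router; for the WAN side the online testers above remain the right tool, since a LAN machine never sees the router's public face.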

Ports blocked by Comcast: Blocked Internet Ports List. As of Sept. 2017, they block: TCP 0 down, TCP 25 both ways, UDP 67 down, 135-139 in both directions for both TCP and UDP, UDP 161 in both directions, TCP 445 up and down, UDP 520 up and down, UDP 547 down, TCP 1080 down and UDP 1900 in both directions.

The Home Network Administration Protocol is a network device management protocol dating back to 2007. There are four problems with HNAP. One is that it has a long history of buggy implementations. It can also tell bad guys technical details of a router, making it easier for them to find an appropriate vulnerability to attack. The fact that a router supports HNAP may not be visible in its administrative interface. Worst of all, HNAP often cannot be disabled. Four strikes, you're out.

You can test if a router supports HNAP by typing

http://1.2.3.4/HNAP1/

where 1.2.3.4 is the IP address of your router. Of course, every router has two IP addresses: one on the public side and one on the private side. I suggest testing for HNAP on each.

If HNAP is enabled, this test displays basic device information about your router in an XML file. See sample output. If it fails, there will be some type of error about the web page not being able to be displayed, perhaps a 404 Not Found error.

If HNAP is enabled, try to turn it off in the router administrative interface and then test again. You may not be able to turn it off. For more, see the HNAP page.

October 26, 2018: Multiple bugs in Linksys E-Series routers were revealed by Talos in October 2018. What was not revealed was a simple way for Linksys owners to check if their routers were vulnerable. According to Jared Rittle, who found the flaws, HNAP can help. Owners can navigate to the official HNAP URL (http://1.2.3.4/HNAP1/) to see the currently installed firmware version (1.2.3.4 is the LAN side IP address of the router). This has the advantage of not needing to know the router password. For the E1200, if the firmware is at or below version 2.0.09, the router is vulnerable. For the E2500, if the firmware is at or below version 3.0.04, it is vulnerable. Owners of other E Series Linksys routers are on their own.
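The HNAP check above is a manual read of an XML document, and the Talos advice is a version comparison against it. As an added example (not from the page, Talos or Linksys), the script below parses such a response and applies the two thresholds the page gives; it assumes the reply carries ModelName and FirmwareVersion elements in a GetDeviceSettingsResponse, as HNAP device-settings replies generally do, and the sample XML is constructed, not captured from a router.

```python
"""Parse the XML returned by http://<router>/HNAP1/ and apply the firmware
thresholds this page gives for the Linksys E1200 and E2500.  Added example,
not part of the original page.  Element names follow the HNAP
GetDeviceSettings response as assumed here; the sample below is constructed."""
import re
import xml.etree.ElementTree as ET

# Firmware versions at or below which the page says the router is vulnerable
VULNERABLE_AT_OR_BELOW = {
    "E1200": "2.0.09",
    "E2500": "3.0.04",
}

# Constructed sample of an HNAP1 device-settings reply (not from a real device)
SAMPLE_HNAP = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetDeviceSettingsResponse xmlns="http://purenetworks.com/HNAP1/">
      <GetDeviceSettingsResult>OK</GetDeviceSettingsResult>
      <VendorName>Linksys</VendorName>
      <ModelName>E1200</ModelName>
      <FirmwareVersion>2.0.09</FirmwareVersion>
    </GetDeviceSettingsResponse>
  </soap:Body>
</soap:Envelope>"""


def _local(tag):
    """Strip the namespace from an ElementTree tag: '{ns}Name' -> 'Name'."""
    return tag.rsplit("}", 1)[-1]


def parse_hnap(xml_text):
    """Return {tag: text} for every leaf element in the reply, ignoring
    namespaces so vendor-specific prefixes do not matter."""
    root = ET.fromstring(xml_text)
    return {_local(el.tag): (el.text or "").strip()
            for el in root.iter() if len(el) == 0}


def version_tuple(ver):
    """'2.0.09' -> (2, 0, 9): compare versions numerically, not as strings,
    so that 2.0.10 is correctly newer than 2.0.09."""
    return tuple(int(p) for p in re.findall(r"\d+", ver))


def check_linksys(info):
    """True if the model is one the page covers and its firmware is at or
    below the vulnerable threshold; False if newer; None if not covered."""
    model = info.get("ModelName", "").upper()
    threshold = VULNERABLE_AT_OR_BELOW.get(model)
    if threshold is None or not info.get("FirmwareVersion"):
        return None
    return version_tuple(info["FirmwareVersion"]) <= version_tuple(threshold)


if __name__ == "__main__":
    # For a real router, fetch the document first, e.g. with
    # urllib.request.urlopen("http://192.168.1.1/HNAP1/", timeout=5).read()
    info = parse_hnap(SAMPLE_HNAP)
    print(info.get("VendorName"), info.get("ModelName"),
          info.get("FirmwareVersion"), "vulnerable:", check_linksys(info))
```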

As per Scott Helme's 2014 description of his BrightBox router, try the URL below, where 1.2.3.4 is the IP address of your router. A good result returns nothing but an error message. Here is a sample of a bad result.
http://1.2.3.4/cgi/cgi_status.js

In December 2016, Pedro Ribeiro reported on flaws in the Netgear WNR2000 router. If you own a Netgear router, it can't hurt to check for information leakage with the URL below. It may leak the device serial number.
http://1.2.3.4/BRS_netgear_success.html

Many Netgear routers had a security flaw in December 2016 (see here and here for more). The command below tests a Netgear router. If this results in a web page with the word "Vulnerable", then the router is vulnerable. Netgear has issued fixes for all vulnerable routers.
http://www.routerlogin.net/cgi-bin/;echo$IFS'Vulnerable'

This issue with port 32764 is explained above in the TCP Ports to Test section.
http://1.2.3.4:32764

In September 2017, security firm Embedi found port 19541 open on many D-Link routers. It responds to commands such as one to reboot the router. They did not find any way to close the port. The default IP address is 192.168.0.1 but the router may also respond to dlinkrouter.local.
http://1.2.3.4:19541

If there is a video surveillance system on your LAN, then hopefully it was not made by Xiongmai. In October 2018, SEC Consult published a big expose about the many ways these systems are not secure. The number of security flaws is huge. These devices are re-branded by at least 100 other companies, so to detect a Xiongmai system, they suggest viewing this page from the LAN:
http://[cameraipaddress]/err.htm
If the page exists and it refers to 'Xiongmai' at all, then read the article by SEC Consult. They also offer other suggestions for identifying Xiongmai hardware. SEC Consult feels that the security is so bad it cannot be fixed and that the hardware should be discarded.

UPnP is dangerous because it lets computing devices (typically IoT devices) punch a hole in the router's firewall. This exposes them to the Internet, where their poor security, such as default passwords, can be abused. This danger involves UPnP being enabled on the LAN side of the router. I am still looking for a LAN side tester.

UPnP on the WAN/Internet side of a router is a totally different problem. UPnP was never meant to be exposed on the Internet. The online tester below ensures that your router does not respond to UPnP requests sent to it over the Internet. For more on why UPnP from the Internet side of a router is an issue at all, see my Jan. 2013 blog Check your router now, before Lex Luthor does.

UPnP is relatively hard to test for as there are two components to the protocol. Discovering UPnP enabled devices is done with the Simple Service Discovery Protocol (SSDP) which listens on UDP port 1900. The actual communication between devices is done via HTTP on varying ports. SSDP tells clients which port to use for HTTP communication. According to Rapid7, the TCP port number varies by vendor and is often chosen at random. Ugh. Their report notes that some Broadcom, D-Link and TP-Link routers use TCP port 5431, some devices use port 80 and still others use 2869.

Steve Gibson added UPnP testing to his ShieldsUP! service in January 2013. On the first page, click on the gray Proceed button. On the next page, click on the yellow/orange button for GRC's Instant UPnP Exposure Test.

Rapid7 also discontinued their installable ScanNow program, which scanned a LAN for UPnP enabled devices and reported if the devices were running buggy versions of UPnP software. This was useful to ensure that your router was also not responding to UPnP on the LAN side. The program only ran on Windows and required 32 bit versions of either Java 6 or Java 7. As for why they abandoned ScanNow, see ScanNow DLL Search Order Hijacking Vulnerability and Deprecation.

A modem is a computer and it, too, can have bugs. Chances are the modem has an IP address such as 192.168.100.1. If nothing else, you should try to access the modem by its IP address so that technical information about your Internet connection is available to you. Also, you want to see what information is available without a password; some modems expose too much. If there is a password, then change it from the default.

For better security, a router may be able to block access to the modem by blocking its IP address. I blogged about modem access from the LAN side of a router in February 2015. While it can be helpful to directly access the modem, it can also be dangerous. See Talk to your modem and Using a router to block a modem. Some routers can do this, some can not. Dumbed down routers, such as the consumer mesh systems (eero, Google Wifi, Ubiquiti AmpliFi, etc.) can not do this.

A great way to see if a modem is accessible from the LAN side is to ping it using the command below. Hopefully, the command fails.
ping 192.168.100.1
If it is pingable, then test Telnet access to the modem with the command below. Failure is the secure outcome.
telnet 192.168.100.1
Another good test is nmap. The simplest command is
nmap 192.168.100.1
For a much more comprehensive look at the LAN side of the modem, use the below:
nmap -v -A -p 1-65535 192.168.100.1

Check IP from VPN provider Perfect Privacy reports connection details (IP address, DNS server, City and Country) for both IPv4 and IPv6. If it doesn't find any IPv6, the message is: "You do not seem to have IPv6 connectivity."

According to the company, RouterCheck "is the first consumer tool for protecting your home router ... RouterCheck is like an anti-virus system for your router. It protects your router from hackers..." It's an Android app. I have not tried it.

The Avast Wi-Fi Finder can do a network scan to show all devices connected to the network. It also claims to offer a Wi-Fi Security Scan that finds potential security holes and issues on the network.

Technically, WebRTC is not a router thing, it is a web browser thing. This section is here just for the heck of it. Anyone using a VPN needs to run these tests. WebRTC can expose your public IP address which is normally hidden by the VPN. If you use more than one browser, you need to run these WebRTC tests on each one.

Some routers are hacked to generate income from showing ads. This website has no ads. If you see any ads while viewing this web page, then either the router you are connected to has been hacked or your computer has.